Bug #3746
Closed
bsize needs to err upon non possible matching conditions (4.1.x)
Description
The following does not err (but it should)
cat bsize.rules
alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)

/opt/suritest/bin/suricata -l log/ -S bsize.rules --engine-analysis ; cat log/rules_analysis.txt
[693058] 27/4/2020 -- 22:19:00 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in USER mode
-------------------------------------------------------------------
Date: 27/4/2020 -- 22:19:00
-------------------------------------------------------------------
== Sid: 111 ==
alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)
Rule matches on http uri buffer.
App layer protocol is http.
Rule contains 0 content options, 1 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "abcdefgh123456" on "http request uri (http_uri)" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.

/opt/suritest/bin/suricata -l log/ -S bsize.rules -T
[693188] 27/4/2020 -- 22:21:40 - (suricata.c:1582) <Info> (ParseCommandLine) -- Running suricata under test mode
[693188] 27/4/2020 -- 22:21:40 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in SYSTEM mode
[693188] 27/4/2020 -- 22:21:41 - (suricata.c:2752) <Notice> (SuricataMain) -- Configuration provided was successfully loaded. Exiting.
If urilen:2 is added it errors properly
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:1582) <Info> (ParseCommandLine) -- Running suricata under test mode
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in SYSTEM mode
[693684] 27/4/2020 -- 22:38:21 - (detect-urilen.c:356) <Error> (DetectUrilenValidateContent) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 2 smaller than content len 14
[693684] 27/4/2020 -- 22:38:21 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; urilen:2; sid:111; rev:1;)" from file bsize.rules at line 3
[693684] 27/4/2020 -- 22:38:21 - (detect-engine-loader.c:347) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:2154) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
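For Suricata builds that load such a rule without complaint, a ruleset can be checked before deployment with a small lint like the one below. It is an added example, not part of the original report and not Suricata's own validation code. Its assumptions: a simplified option parser, any dotted keyword without a value treated as a sticky buffer, `lo<>hi` read as an exclusive range, and only the longest single non-negated `content` per buffer compared with the `bsize` limit.

```python
import re
# Constructed sample input: the rule from the report above.
SAMPLE = 'alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)'
# One "name[:value];" option; quoted values may hold escaped characters.
OPT_RE = re.compile(r'\s*([\w.]+)\s*(?::((?:"(?:\\.|[^"\\])*"|[^;])*))?;')
BSIZE_RE = re.compile(r'(?:(\d+)\s*<>\s*(\d+)|(<=|>=|<|>|=)?\s*(\d+))$')

def content_len(pattern):
    """Byte length of a content pattern, counting |hex| runs and backslash escapes."""
    n, hexdigits, i, in_hex = 0, 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == '|':
            in_hex = not in_hex
        elif in_hex:
            hexdigits += c != ' '    # two hex digits make one byte
        else:
            i += c == '\\'           # skip the escaped character; the pair is one byte
            n += 1
        i += 1
    return n + hexdigits // 2

def bsize_upper(value):
    """Largest buffer size a bsize value allows; None when there is no upper bound."""
    m = BSIZE_RE.match(value)
    if not m:
        raise ValueError(f'unparsed bsize value: {value!r}')
    _lo, hi, op, num = m.groups()
    if hi is not None:
        return int(hi) - 1           # assumption: lo<>hi is an exclusive range
    if op in ('>', '>='):
        return None
    return int(num) - 1 if op == '<' else int(num)

def check_rule(rule):
    """Return (buffer, longest content, bsize cap) for each buffer that can never match."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    state, cur = {}, 'payload'       # buffer name -> [longest content, bsize cap]
    for name, value in OPT_RE.findall(body):
        value = value.strip()
        if not value and '.' in name:    # assumption: dotted valueless keyword = sticky buffer
            cur = name
        elif name == 'content' and not value.startswith('!'):
            entry = state.setdefault(cur, [0, None])
            entry[0] = max(entry[0], content_len(value[1:-1]))
        elif name == 'bsize':
            state.setdefault(cur, [0, None])[1] = bsize_upper(value)
    return [(b, n, cap) for b, (n, cap) in state.items() if cap is not None and n > cap]

print(check_rule(SAMPLE))
```
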
Updated by Jeff Lucovsky over 4 years ago
- Copied from Bug #3682: bsize needs to err upon non possible matching conditions added
Updated by Shivani Bhardwaj about 4 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien about 4 years ago
- Status changed from In Review to Closed
Updated by Victor Julien about 4 years ago
- Subject changed from bsize needs to err upon non possible matching conditions to bsize needs to err upon non possible matching conditions (4.1.x)
- Status changed from Closed to Assigned
- Target version changed from 4.1.9 to TBD
Not yet fixed in master, so waiting for that for the backport.
Updated by Shivani Bhardwaj almost 4 years ago
- Status changed from Assigned to Rejected
Updated by Shivani Bhardwaj almost 4 years ago
The release happened without this feature in master so it could not have been backported then. Now, 4.1.x is EOL.
The original issue is supposed to be released in 7.0beta1.